Code Execution 07

This exercise is one of our challenges on Code Execution

PRO
Tier
Medium
< 1 Hr.
10937

Course


In the previous challenge, we simplified the task by pre-importing the `os` module. In this lab, however, the `os` module is not pre-loaded, which requires a different approach for code execution. Attempting to use `os.system('id')` directly results in an error since the `os` module is missing. To overcome this, we use the `__import__('os').system(...)` syntax to dynamically load the `os` module and execute the desired command.

The lab involves reviewing a Flask application where user input is passed to an `eval` function without proper filtering, creating a code execution vulnerability. By leveraging the `__import__('os').system(...)` method, participants can execute the `score` command to complete the exercise. This scenario highlights the importance of understanding module imports and the dangers of using `eval` with user-controlled input.

Want to learn more? Get started with PentesterLab Pro! GO PRO